Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
pamaclark (at) yahoo (dot) com writes:
> Hi,
> I'm new to IDS/IPS...
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staffs restrictions, the
> company could only use a limited number of sensors, hence leave some
> internal sub-networks unmonitored. I guess this is quite common in
> real world right?

Yeah, it's not uncommon. That there's any internal IDS in fact is
somewhat uncommon still. And a lot of clients aren't monitoring the
IDS they do have.

> So, if I were an inside attacker, I may find out sensor locations
> (either physical of logical locations) by fingerprinting the sensors
> as discussed in some previous threads or whatever tricks. Means I
> will know which sub-networks are monitored and others are not,
> right? So that I can launch attacks to those unmonitored network
> segments without being detected.

Sure. Or the attacker could blind the IPS or overwhelm any analyst
with so many alerts that no one has a chance to go through them all.
Snot and Sneeze are tools for doing so with spoofed IPs. They can
light up an IDS like a Christmas tree.

Or, if the attacker wants the stealth approach and has the luxury of
time, the attacker can simply slow activity below the default
thresholds of the IDS in play, since not many orgs modify the defaults
(or can afford to make them more sensitive than default). Some IDS
technologies are pretty primitive and can be avoided with subtle
permutations because they're overly reliant on exact signature
matching vs. detecting the actual vulnerability.

> Does this sound plausible? And what current IDS/IPS technologies can
> be used to against this?

Rather than focusing on IDS technology overmuch, the mantras of
defense in depth and a risk management approach to the issues are
worth a thought. IDS is hampered by some necessary issues
(i.e. ability to be blinded, and that while you can crank it up to
detect everything, you don't have analyst staff to deal with

But you are doing a good thing paying attention to the inside network,
because there's still a folly out there of over-focus on the firewall
and perimeter while companies blithely let egress traffic out without
restriction, and every employee has relatively unfettered web access
whereby on-network assets can become rather easily compromised.

Credit to Chris Nickerson who is fond of saying the perimeter is dead
and is now located where the data is (not on the Internet edge).

Todd Haverkos

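The two evasion points Todd raises above (subtle permutations against a rule that does exact signature matching, and a patient attacker staying under a default rate threshold), as an added, constructed example. This is not code from the thread, from Snort or from any IDS product; the rule names, thresholds, request lines and IP addresses are all hypothetical.

```python
"""Toy IDS rules showing why an exact content signature is easy to permute
around, and why a slow attacker never trips a default rate threshold.

Added, constructed example: not code from the post or from any real IDS.
Thresholds, paths and addresses are hypothetical.
"""
from collections import defaultdict, deque
from urllib.parse import unquote

# --- 1. Exact content match vs. condition-aware match ----------------------

TRAVERSAL_SIGNATURE = "../"   # hypothetical "content" rule for path traversal


def exact_signature_match(request_line: str) -> bool:
    """Naive rule: fires only if the literal characters '../' are present."""
    return TRAVERSAL_SIGNATURE in request_line


def _request_path(request_line: str) -> str:
    # "GET /a/b?x=1 HTTP/1.1" -> "/a/b"
    return request_line.split(" ", 2)[1].split("?", 1)[0]


def normalized_traversal_match(request_line: str, decode_rounds: int = 2) -> bool:
    """Condition-aware rule: decode the path the way a server would (bounded
    rounds, so double-encoding is covered), then check whether resolving it
    ever climbs above the document root. That climb is the actual condition
    a traversal exploit needs, regardless of how the bytes were spelled."""
    path = _request_path(request_line)
    for _ in range(decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:            # escaped the root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


# Constructed requests: one benign, one literal, three permutations.
REQUESTS = [
    "GET /images/logo.png HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "GET /..%2f..%2fetc/passwd HTTP/1.1",               # encoded slash
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",           # encoded dots
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1",   # double-encoded
]


def evaluate_rules(requests=REQUESTS):
    """Return [(request, exact_rule_hit, normalized_rule_hit), ...]."""
    return [(r, exact_signature_match(r), normalized_traversal_match(r))
            for r in requests]


# --- 2. Default rate threshold vs. a patient attacker ----------------------

def threshold_scan_detector(events, max_ports: int = 20, window_s: float = 60.0):
    """Hypothetical default portscan rule: alert when one source contacts more
    than `max_ports` distinct destination ports inside any `window_s` window.
    `events` is an iterable of (timestamp_s, src_ip, dst_port) in time order.
    Returns the set of source IPs that raised an alert."""
    recent = defaultdict(deque)          # src_ip -> deque of (timestamp, port)
    alerted = set()
    for ts, src, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - window_s:   # drop probes outside the window
            q.popleft()
        if len({p for _, p in q}) > max_ports:
            alerted.add(src)
    return alerted


def fast_scan(src="10.0.0.5", ports=50):
    """Constructed: 50 ports probed 100 ms apart (whole scan in 5 s)."""
    return [(i * 0.1, src, 1000 + i) for i in range(ports)]


def slow_scan(src="10.0.0.6", ports=50):
    """Constructed: the same 50 ports, one probe every 10 s (about 8 minutes).
    No 60 s window ever holds more than 7 ports, so the default never fires."""
    return [(i * 10.0, src, 1000 + i) for i in range(ports)]


if __name__ == "__main__":
    for req, exact, norm in evaluate_rules():
        print(f"exact={exact!s:5} normalized={norm!s:5}  {req}")
    print("fast scan alerted:", threshold_scan_detector(fast_scan()))
    print("slow scan alerted:", threshold_scan_detector(slow_scan()))
```

The point of the first half is that the exact rule and the normalized rule agree on the literal request, and the normalized rule still fires on the three encoded spellings because it checks the condition (leaving the root) rather than the bytes. The second half shows the trade-off in the post: the slow scan only becomes visible if `max_ports` is lowered well below the hypothetical default, which is exactly the "more sensitive than default" tuning that costs analyst time.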


Copyright 2010, SecurityFocus